Software Engineering Institute | Carnegie Mellon University

White Paper

Governing for Enterprise Security (GES) Implementation Guide Article 2: Defining an Effective Enterprise Security Program (ESP)

  • March 2007
  • Publisher: Software Engineering Institute
  • Abstract

    This article builds on Article 1: Characteristics of Effective Security Governance and provides a comprehensive description of an enterprise security program (ESP). It highlights those aspects of an ESP that require governance action. The goal of this article is to enable the reader to understand what governance of security means, what it applies to, and how it is exercised.

    To be successful, the program requires a security culture and the cooperation of the entire organization. This is achieved by establishing and reinforcing the security “tone” set at the top of the organization, reflected in top-level policies and an effective governance structure. This structure includes a cross-organizational security team, designated key personnel — such as the chief risk officer (CRO), chief security officer (CSO),1 general counsel (GC), chief information officer (CIO) and others — and the involvement of operational staff. Internal audit has an independent role in auditing the ESP's effectiveness in addressing organizational security risks.

    An ESP consists of a series of activities that support an enterprise risk management plan (RMP) and result in the development and maintenance of

    • a long-term enterprise security strategy (ESS)
    • an overarching enterprise security plan (which may be supported by underlying business unit security plans and security plans for individual systems)
    • security policies, procedures, and other artifacts
    • the system architecture and supporting documentation

    Figure 1 depicts the hierarchical relationship of these documents and activities.
